What is Strong Customer Authentication?

Updated 3 weeks ago

In 2019, the European Union (EU) adopted new legislation under the Payment Service Directive (PSD2) to reduce fraud and make transactions more secure for online businesses located in the European Economic Area (EEA).

A part of this legislation—Strong Customer Authentication (SCA)—requires all online businesses, including Booking.com, to implement more thorough authentication measures on transactions when both the card holder’s and the business’s bank are located in the EEA.

These measures ensure that the customer (in this case, your guest) is the rightful card owner. If no SCA is provided, banks are legally required to decline the payment.

Strong Customer Authentication means your guests’ identities will need to be verified thoroughly. In other words, the guest needs to prove that they’re the card owner by using two of the three methods* of authentication shown below:

 

Image
graphic_strong_customer_authentication

*Something that the customer knows (password or PIN), has (phone), or is (fingerprint).

 

Note: From January 1, 2021, depending on the implementation of each country, banks will decline payments that require Strong Customer Authentication but don’t meet these criteria.

 

Even though the legislation went into effect on September 14, 2019, a new deadline on January 1, 2021 was introduced to enable a smoother transition period for online businesses that provide these SCA measures. While SCA is expected to be rolled out on January 1, 2021, each country will set its own timeline to implement the legislation.

Jump to:

 

When will Strong Customer Authentication apply?

How will Booking.com support me?

    - Payments partially managed by Booking.com

    - All payments managed by Booking.com

Why is the new legislation called PSD2?

Which territories will SCA under PSD2 apply to?

What does it mean for your country?


 

When will Strong Customer Authentication apply?

Strong Customer Authentication will apply if you’re charging a credit or debit card that’s issued by a European Economic Area (EEA) entity and you’re based in the EEA. Whenever you attempt to charge a card that isn’t physically inserted into your Point of Sale (POS) machine, Strong Customer Authentication will need to be applied.


 

How will Booking.com support me?

Any reservations facilitated by Payments by Booking.com will have Strong Customer Authentication performed by Booking.com. 

    - Payments partially managed by Booking.com

 

If you’re already using Online Payments with some of your payments facilitated by Booking.com, this is how we’ll support you:

When you won’t need to worry about SCA

When a guest pays through our Online Payments service, first we’ll authenticate their payment, then send you a virtual credit card that you can to charge as usual. Virtual credit cards from Booking.com are out of the scope of SCA, so they aren’t allowed to be blocked by the bank.

If a guest pays you in person, and you charge their card at check-in or check-out, you can continue to do so. SCA shouldn’t apply.

When SCA may apply

If you charge guests’ cards remotely (for example for pre-payments, deposits, or no-show fees), SCA may apply.

While Booking.com doesn’t process these payments, we’ll support you to minimize operational impact on you due to SCA. At the time of reservation, Booking.com will assess whether a guest’s payment could be subject to SCA:

  • If we believe SCA might apply, we’ll ask the guest to pay through our Online Payments service.
  • If we believe the payment isn’t subject to SCA, your guests can continue to pay either online or you directly. In case you’re unable to charge a guest’s card remotely, you can mark it as invalid and we’ll attempt to recover the payment.

All payments managed by Booking.com

 

If you have all your payments facilitated by Booking.com, you don’t need to take any action. We’ll take care of authenticating all your customers’ payment transactions for reservations made on Booking.com.

What if I don’t want to use Online Payments or Payments by Booking.com?

We can only support you for SCA if you sign up for a Payments product. If you don’t sign up for one, you’ll need to manage your guests’ payments and perform SCA when necessary. For more info, contact your bank or payment service provider, or take a look at the links in the “Next steps” section below. 

What should I do if I’m not eligible for Online Payments or Payments by Booking.com?

Contact your bank or payment service provider, who can advise you on the new PSD2 legislation and how to make sure you meet the SCA requirements. You can also take a look at the links in the “Next steps” section below. 

What should I do if I get declined transactions?

If you get declined transactions, you can use the invalid credit card process to mark guest cards as invalid. To help you successfully charge customer cards, we’re currently enhancing the invalid credit card process to align with SCA requirements. We’ll share regular updates about this solution with you.

Next steps

We’ll post more content informing you about Strong Customer Authentication and clarifying how the legislation could impact you, as well as how you can prepare for its introduction.

In the meantime, you can learn more about SCA from the European CommissionAdyen, Stripe, or JPMorgan


 

Why is the new legislation called PSD2?

PSD2 stands for Payment Service Directive 2, an iteration of the current payment service directive. The iteration calls for even stronger customer authentication for online payments/purchases. Strong Customer Authentication is referred to as SCA. So PSD2 is the regulation itself whereas SCA refers to the actions needed to comply with PSD2.


 

Which territories will SCA under PSD2 apply to?

Within Europe, meaning the business from which a customer wants to purchase something is in a country within the EEA, and the customer’s bank/credit card company is also located within the EEA.

PSD2 applies to the following countries:

  • Austria 
  • Belgium 
  • Bulgaria 
  • Croatia 
  • Republic of Cyprus 
  • Czech Republic 
  • Denmark 
  • Estonia 
  • Finland 
  • France 
  • Germany 
  • Greece 
  • Hungary 
  • Iceland 
  • Ireland 
  • Italy 
  • Latvia 
  • Liechtenstein 
  • Lithuania 
  • Luxembourg 
  • Malta 
  • Monaco 
  • Netherlands 
  • Norway 
  • Poland 
  • Portugal 
  • Romania 
  • Slovakia 
  • Slovenia 
  • Spain
  • Sweden
  • Switzerland
  • UK

 

What does it mean for your country?

Not all countries follow the same enforcement timelines. Check this page regularly for the latest country updates.

Country

Enforcement date

France

March 14, 2021

Germany

March 15, 2021

UK

September 14, 2021

The extended grace period only applies to domestic payments taken within the country itself. That means if a business in these countries collects any cross-border payments from elsewhere in the EEA, SCA may still apply to them.

What do you think of this page?

Updated: Recovery Toolkit

New advice and insights to attract demand.

Read more